Data Protection – Q&A

(Photo: www.flickr.com/photos/rh2ox/ )

1. How do 3rd party companies store customers' data? And how do they ensure data is handled properly, such as the removal of names from the database?

Any 3rd party company that stores customer data must notify the Information Commissioner's Office (ICO), which keeps a public register of data controllers, and comply with the Data Protection Act. The Act requires that personal data only be collected for specific, justifiable purposes, be adequately protected against unauthorised access, loss or damage, and be deleted once it is no longer needed for the purpose it was collected for. Removing a customer's name from a database is therefore not a courtesy but a legal requirement once the company has no further justification for holding it.

2. What is the Data Protection Act? What does it cover and whom does it protect?

The UK's Data Protection Act 1998 was passed by Parliament to regulate the way organisations collect, store and use personal information. It protects any living individual (the "data subject") whose personal data is held by an organisation, and safeguards privacy through eight Data Protection Principles. Personal data must be:

  • Processed fairly and lawfully
  • Obtained only for clearly stated, specific purposes, and not used in a way incompatible with those purposes
  • "Adequate, relevant and not excessive" for the purposes it was collected for
  • Accurate and, where necessary, kept up to date
  • Kept no longer than necessary for the purpose it was collected for
  • Processed in accordance with the rights of data subjects under the Act
  • Protected by appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction or damage
  • Not transferred outside the UK and EEA unless the receiving country provides an adequate level of protection, for example one of the countries on the European Commission's approved list

The Act also gives individuals the right to know what information an organisation holds about them (a "subject access request"), along with the right to have inaccurate information corrected or erased.

3. What regulating bodies do telecommunication companies have to answer to? Does it depend on the type of calls being handled?

The Information Commissioner's Office (ICO) is the primary data protection regulator in the UK. It maintains the mandatory register of data controllers, conducts audits, investigates complaints from the public, monitors compliance, and can issue enforcement notices, monetary penalties and prosecutions against offending organisations. For telecommunications providers the ICO also enforces the Privacy and Electronic Communications Regulations (PECR), which add sector-specific rules on marketing calls, traffic data and security breaches. The data protection obligations themselves do not depend on the type of call being handled: any call in which personal information is collected or recorded falls under the Act.

4. If a business was to outsource its telecommunications abroad, how do these laws differ from country to country?

Every country in the European Economic Area (EEA) has data protection rules that meet the standards of the UK's Data Protection Act, so British companies are free to send personal data to any EEA country. Outside the EEA there are only a handful of countries the European Commission has approved as providing adequate protection, including Canada, Argentina, Australia, New Zealand, Switzerland and Uruguay. For the USA, adequacy was limited to organisations registered with the United States Safe Harbor programme. Note that this list changes: the Safe Harbor scheme itself was struck down by the Court of Justice of the European Union in October 2015, so a transfer that relied on it was no longer lawful afterwards. Where a country is not on the approved list, the Act still allows transfers under other safeguards such as the Commission's model contract clauses or the explicit consent of the individual, but the exporting company must be able to show which safeguard it relied on.

a) What are the issues that can arise using a company that is based abroad?

Apart from it being unlawful under the Data Protection Act to send personal information to a country without adequate protection or another recognised safeguard, issues arise from changing legislation. Countries are occasionally added to or removed from the European Commission's approved list, and a transfer mechanism can be withdrawn altogether, which in some cases has serious consequences for businesses storing information internationally.

It is also important to understand that the UK company remains the data controller: it is responsible, and can be punished, for violations committed by the foreign organisation it transferred data to. The Act requires a written contract with any processor, under which the processor acts only on the controller's instructions and applies equivalent security measures. There are also rules on how data is transferred (for example, encryption in transit) and on where it is stored, which all organisations must comply with when sending personal information abroad, and companies are generally required to inform the individuals concerned that their data will be transferred to a third party outside the EEA.

b) Do companies have to comply with foreign laws in addition to the laws in place at home?

Yes. The UK company remains bound by the Data Protection Act for any data it transfers, and the foreign organisation is bound by its own local law. Countries in the EEA and on the European Commission's approved list have similar legislation in place that rarely conflicts with the UK Act, but the contract with the overseas provider should still state which law governs the processing.

5. What legal obligations do telecommunication companies have to comply with if data has been mishandled?

  • Companies are expected to inform the individuals affected about any breach of data security or mishandling that puts them at risk. Where it will reduce the harm, they should also seek assistance from other organisations (banks, for example) to minimise the risks to those whose data was compromised.
  • Data processors (such as an outsourced call handler) must inform the data controller immediately in the event of a breach, so that the controller can meet its own obligations.
  • Providers of public electronic communications services are required under PECR to report personal data breaches to the Information Commissioner's Office without delay. The ICO will often request a detailed written account of the incident and may launch an investigation.
  • The company must also keep a written log of all data breaches and security incidents, including what happened, its effects and the remedial action taken.
  • Finally, individuals who suffer damage as a result of a breach of the Act can claim compensation from the organisation responsible.

6. How can you ensure your customers' calls are being handled professionally, are there procedures in place or are there procedures that every company should implement?

Before contracting, companies should check the ICO's public register to confirm the 3rd party organisation is registered, and review the ICO's published enforcement actions to find out whether it has a history of complaints or violations. They should also examine the company's internal data management and security procedures (access controls, staff training, retention and deletion practices), put the required data processing terms in the contract, run regular audits, and solicit independent feedback from customers about their experiences with the 3rd party.

7. If you are using social media as a customer service channel, how does this fit with the data protection act? If it doesn't, should a company have an internal policy on this?

Information that a customer posts publicly on social media is in the public domain, but the moment a company collects or stores it (for example, by copying a customer's details from a message into its own records), it becomes personal data held by the company and receives the same legal protection as any other data. Companies should therefore have internal policies in place governing which channels are used to communicate with customers, what personal information may be requested or recorded over them, and how that information is then stored and deleted.

8. As a company that handles calls for clients in a wide range of industries, how can you ensure that you are compliant with each client's specific industry regulations?

Data protection legislation spans all industries, so the Act's requirements form the baseline for every client. But each new client inevitably brings its own set of obligations, technicalities and challenges, such as sector-specific rules on what may be recorded or how long records must be kept. So we always take time to consult with the client about their industry standards and carefully draft a set of guidelines to maintain internal compliance for that account.

9. Do your employees have to follow certain protocol to ensure call recordings fall within DPA guidelines?

Yes. We keep careful records of each call so that recordings and associated data are never retained longer than the Act allows, and our operators follow a strict procedure to ensure that all data is stored securely and accurately within our database.

10. How will call recording systems comply with any future changes in legal regulations or codes of practice?

At Frontline, we aim to keep our internal data protection policies stricter than the DPA legally obliges us to be, and have therefore made privacy and security top priorities within our organisation. So if future regulations or guidelines are developed to help us better safeguard our customers' data, we will embrace them and implement them promptly.